Network connection request method and apparatus

ABSTRACT

A network apparatus receives a connection request from a client computing device toward a target computing device. Next, a target identifier that identifies the target computing device is extracted from the connection request. The connection request is sent to the target computing device and a reputation request with the target identifier is sent to a web resource analyser engine. In response to detecting that a response from the target computing device is received before a response from the web resource analyser engine, the response to the connection request from the target computing device is held by performing a rewrite in a target section of a user-space utility program rule and by using an operating system kernel module in a user-space memory area of the network apparatus. In response to a receipt of the response from the web resource analyser engine, the response to the connection request is released.

TECHNICAL FIELD

The present application relates generally to network security, and specifically to methods and apparatuses for managing network connection requests.

BACKGROUND

In various network security solutions, outgoing connections must often be authorized by an external service, such as a security service provider or the like. The external service may be used to determine whether the user is allowed to access the requested content or whether the content should be blocked, for example. However, the amount of time it takes to obtain both a response from the requested website and a response from such an external service checking the reputation of the requested website may be long, and the user experience deteriorates.

There is a need for securing network connections while at the same time enabling time efficient usage of resources.

SUMMARY

According to an aspect of the invention there is provided a method as specified in claim 1.

According to another aspect of the invention, there is provided an apparatus in a computer network system as specified in claim 12.

According to another aspect of the invention, there is provided a non-transitory computer-readable medium comprising stored program code, the program code comprised of computer-executable instructions that, when executed by a processor device, cause the processor device to operate as specified in claim 20.

Those skilled in the art will appreciate the scope of the disclosure and realize additional aspects thereof after reading the following detailed description of the embodiments in association with the accompanying drawing figures.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawing figures incorporated in and forming a part of this specification illustrate several aspects of the disclosure and, together with the description, serve to explain the principles of the disclosure.

FIG. 1 illustrates an example system environment for a network apparatus in a computer network system;

FIGS. 2A and 2B illustrate methods, according to embodiments;

FIG. 3 is a block diagram of an apparatus, according to one embodiment;

FIG. 4 is a signal sequence diagram illustrating a process, according to one embodiment; and

FIG. 5 is a flow diagram illustrating a process, according to one embodiment.

DETAILED DESCRIPTION

The embodiments set forth below represent the information to enable those skilled in the art to practice the embodiments and illustrate the best mode of practicing the embodiments. Upon reading the following description in light of the accompanying drawing figures, those skilled in the art will understand the concepts of the disclosure and will recognize applications of these concepts not particularly addressed herein. It should be understood that these concepts and applications fall within the scope of the disclosure and the accompanying claims.

Any flowcharts discussed herein are necessarily discussed in some sequence for purposes of illustration, but unless otherwise explicitly indicated, the embodiments are not limited to any particular sequence of steps. The use herein of ordinals in conjunction with an element is solely for distinguishing what might otherwise be similar or identical labels, such as “first message” and “second message,” and does not imply a priority, a type, an importance, or other attribute, unless otherwise stated herein. The term “about” used herein in conjunction with a numeric value means any value that is within a range of ten percent greater than or ten percent less than the numeric value.

As used herein and in the claims, the articles “a” and “an” in reference to an element refer to “one or more” of the element unless otherwise explicitly specified. The word “or” as used herein and in the claims is inclusive unless contextually impossible. As an example, the recitation of A or B means A, or B, or both A and B.

The figures and the following description relate to the example embodiments by way of illustration only. Alternative embodiments of the structures and methods disclosed herein will be readily recognized as viable alternatives that may be employed without departing from the principles of what is claimed.

FIG. 1 illustrates schematically an example of a system environment for a network apparatus 120. The system environment illustrated in FIG. 1 includes a local network 100 that may include one or more computing devices 110 with a client application 180, the network apparatus 120, a local gateway 150, and an analysis engine/database 160. The example system also includes a service cloud 130, such as a network operator's cloud or a security service provider's cloud, and the Internet 140. The analysis engine 160, such as a web resource analysis engine, may reside in the local network, in the service cloud 130 or elsewhere in the network. There may also be more than one analysis engine 160, thus enabling at least part of the analysis to be processed in more than one analysis engine. Alternative embodiments may include more, fewer, or different components from those illustrated in FIG. 1, and the functionality of each component may be divided between the components differently from the description below. Additionally, each component may perform its respective functionalities in response to a request from a human, or automatically without human intervention.

In an embodiment, the client computing device 110 may communicate (A) via the network apparatus 120 residing in the local network 100. In another embodiment, the device 110 may communicate (B) directly via a network gateway or a modem 150, for example when the device is not in the local network 100. In an embodiment, the network operators may deploy a service platform on their broadband gateways 150 provided to customers and in their own cloud environments 130. The client device(s) 110 may also be configured to use the services provided by the service cloud 130 by one or more applications 180 installed on the device(s) 110.

The device 110 may be any computer device having Internet browsing capabilities, such as a smartphone, laptop or a tablet. The network apparatus 120 may collect information e.g. about the local network 100, including data about the network traffic through the local network 100 and data identifying devices in the local network 100, such as any smart appliances and user devices 110. The network apparatus 120 is configured to receive traffic control instructions from the analysis engine 160 and to process network traffic based on the traffic control instructions. Processing the network traffic through the local network 100, for example, can include restricting where network traffic can travel, blocking network traffic from entering the local network 100, redirecting a copy of network traffic packets or features of those packets to the analysis engine 160 for analysis (e.g., for malicious behaviour), or quarantining the network traffic to be reviewed by a user (e.g., via the user device 110) or network administrator. In some embodiments, the functionality of the network apparatus 120 is performed by a device that is a part of the local network 100, while in other embodiments, the functionality of the network apparatus 120 is performed by a device outside of the local network 100.

The network apparatus 120 may be configured to monitor traffic that travels through the local network 100. In some embodiments, the network apparatus 120 can be a device that is a part of the local network 100. The network apparatus 120 can be connected to the local network 100 using a wired connection (e.g. via an Ethernet cable connected to a router) or using a wireless connection (e.g. via a Wi-Fi connection). In some embodiments, the network apparatus 120 can comprise multiple devices. In some embodiments, the network apparatus 120 can also perform the functions of the local network router 150 for the local network 100.

In some embodiments, the network apparatus 120 may intercept traffic in the local network 100 by signalling to the user device 110 that the network apparatus 120 is the router 150. In some embodiments, the network apparatus 120 replaces the default gateway or gateway address of the local network 100 with its own internet address. In some embodiments, the local network 100 can be structured such that all network traffic passes through the network apparatus 120, allowing the network apparatus 120 to physically intercept the network traffic. For example, the network apparatus 120 can serve as a bridge through which all network traffic must travel to reach the router 150 of the local network 100.

The analysis engine 160 may receive and analyze network traffic data (e.g., forwarded by the network apparatus 120) associated with devices on the computer network. The analysis engine 160 may be implemented within a remote system (e.g., a cloud server) or within the local network 100. The analysis engine 160 may perform operations that are computationally expensive for the network apparatus 120 to perform. In some embodiments, the analysis engine 160 replaces the network apparatus 120 by performing the functionalities of the network apparatus 120. In these embodiments, the local network router 150 may be configured to forward network traffic to the analysis engine 160. In some embodiments, the analysis engine 160 communicates with other devices on the computer network. In some embodiments, the analysis engine 160 is integrated into the network apparatus 120.

The local network 100 is a local area network (LAN) that comprises the one or more devices 110, network apparatus 120, and local network router 150. The local network 100 may be used for a number of purposes, including a home network or a network used by a business. The local network 100 is connected to the internet 140, allowing devices within the local network 100, including the user device 110, to communicate with devices outside of the local network 100. The local network 100 may be a private network that may require devices to present credentials to join the network, or it may be a public network allowing any device to join. In some embodiments, other devices, like personal computers, smartphones, or tablets, may join local network 100.

The internet 140 and the local network 100 may comprise any combination of LANs and wide area networks (WANs), using both wired and wireless communication systems. In some embodiments, the internet 140 and the local network 100 use standard communications technologies and protocols. Data exchanged over the internet 140 and the local network 100 may be represented using any suitable format, such as hypertext markup language (HTML) or extensible markup language (XML). In some embodiments, all or some of the communication links of the internet 140 and the local network 100 may be encrypted using any suitable technique or techniques.

The user/client device 110 is a computing device capable of receiving user input as well as transmitting and/or receiving data via the Internet 140 or local network 100. In some embodiments, a user device 110 is a conventional computer system, such as a desktop or a laptop computer. Alternatively, a user device 110 may be a device having computer functionality, such as a personal digital assistant (PDA), a mobile telephone, a smartphone, or another suitable device. The user device 110 is a network device configured to communicate with the Internet 140 or local network 100. In some embodiments, the user device 110 executes an application (e.g., application 180) allowing a user of the user device 110 to interact with other network devices, such as the smart appliances, the network apparatus 120, the gateway 150, or the analysis engine 160. For example, the user device 110 executes a browser application to enable interaction between the user device 110 and the network apparatus 120 via the local network 100.

The client application 180 is a computer program or software application configured to run on the user device 110. For example, the application 180 is a web browser, a mobile game, an email client, or a mapping program. The user device 110 can have any number of applications 180 installed. The application 180 may communicate, via the user device 110, with devices inside and outside of the local network 100.

FIG. 2A is a flow diagram illustrating an embodiment of a method at a network apparatus connecting one or more computing devices to a computer network. The network apparatus monitors connection requests relating to monitored network traffic passing through the network apparatus.

In 200, a connection request from a client computing device toward a target computing device is received by the network apparatus.

In 201, the network apparatus extracts target identifier data from the connection request that identifies the target computing device.

In 202, the network apparatus sends the connection request to the target computing device.

In 203, the network apparatus sends a reputation request with the target identifier to a web resource analyser engine.

In 205, in response to detecting that a response to the connection request from the target computing device is received before a response from the web resource analyser engine, the response to the connection request from the target computing device is held by performing a rewrite in a target section of a user-space utility program rule and by using an operating system kernel module in a user-space memory area.

In 206, in response to a receipt of a response from the web resource analyser engine, the response to the connection request is released from hold.

FIG. 2B is a flow diagram illustrating another embodiment of a method at a network apparatus connecting one or more computing devices to a computer network. The network apparatus monitors connection requests relating to monitored network traffic passing through the network apparatus.

In 200, a connection request from a client computing device toward a target computing device is received by the network apparatus.

In 201, the network apparatus extracts target identifier data from the connection request that identifies the target computing device.

In 202, the network apparatus sends the connection request to the target computing device.

In 203, the network apparatus sends a reputation request with the target identifier to a web resource analyser engine.

In 204, a timer is initiated.

In 205, in response to detecting that a response to the connection request from the target computing device is received before a response from the web resource analyser engine, the response to the connection request from the target computing device is held by performing a rewrite in a target section of a user-space utility program rule and by using an operating system kernel module in a user-space memory area.

In 207, in response to an earliest occurrence of one of two events, the response to the connection request is released, wherein the two events comprise an expiration of the timer and a receipt of a response from the web resource analyser engine.

In an embodiment, the target identifier comprises a URL (Uniform Resource Locator) extracted from a header (when an HTTP(S) request to the target computer is made) or an SNI (Server Name Indication) extracted from a TLS (Transport Layer Security) handshake.
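As an added illustration of step 201 (example code, not from the patent or any product), the following extracts the only identifier a gateway can see before any content flows: the Host header of a plaintext HTTP request, or the SNI carried in the cleartext TLS ClientHello. The `build_client_hello` helper is a constructed test input; note that an Encrypted Client Hello would hide the SNI from this kind of inspection, in which case the lookup has nothing to key on.

```python
"""Target-identifier extraction for the reputation lookup (step 201 / 500).

Added example, not code from the patent. Plain HTTP: the URL is rebuilt from the
Host header and the request line. HTTPS: only the SNI in the ClientHello is
visible to the gateway, so the TLS record -> handshake -> extensions are walked.
"""
import struct
from typing import Optional

TLS_HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME = 0x16, 0x01, 0x0000


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("!H", buf, off)[0]


def sni_from_client_hello(data: bytes) -> Optional[str]:
    """Return the host_name SNI of a TLS ClientHello, or None if absent/malformed."""
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        return None
    rec_len = _u16(data, 3)
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                      # truncated hello (e.g. split across records)
    off = 2 + 32                         # client_version + random
    try:
        off += 1 + body[off]             # session_id
        off += 2 + _u16(body, off)       # cipher_suites
        off += 1 + body[off]             # compression_methods
        if off >= len(body):
            return None                  # no extensions block at all
        ext_end = off + 2 + _u16(body, off)
        off += 2
        while off + 4 <= ext_end:
            ext_type, ext_len = _u16(body, off), _u16(body, off + 2)
            ext = body[off + 4:off + 4 + ext_len]
            off += 4 + ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            list_end = 2 + _u16(ext, 0)  # server_name_list length
            pos = 2
            while pos + 3 <= list_end:
                name_type, name_len = ext[pos], _u16(ext, pos + 1)
                if name_type == 0:       # host_name
                    return ext[pos + 3:pos + 3 + name_len].decode("ascii")
                pos += 3 + name_len
    except (struct.error, IndexError):
        return None                      # bad lengths: do not guess, report no identifier
    return None


def host_from_http_request(data: bytes) -> Optional[str]:
    """Return http://<Host><request-target> for a plaintext HTTP/1.x request, or None."""
    head, _, _ = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            return "http://" + host + parts[1].decode("ascii", "replace")
    return None


def extract_target_identifier(payload: bytes) -> Optional[str]:
    """Step 201: URL from an HTTP header, or SNI from a TLS handshake."""
    return sni_from_client_hello(payload) or host_from_http_request(payload)


def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS ClientHello carrying only an SNI extension (test input)."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"           # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
            + b"\x01\x00"                              # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs
```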

In an embodiment, the network apparatus is installed on a network gateway.

In an embodiment, in response to detecting expiration of the timer before the response from the web resource analyser engine has been received, the connection request is approved.

In an embodiment, the method further comprises, in response to receipt of the response from the web resource analyser engine before expiration of the timer, approving the connection request or denying the connection request based on the response from the web resource analyser engine.

In an embodiment, the method further comprises, in response to detecting that the response from the web resource analyser engine is received before a response from the target computing device, approving or denying the connection request based on the response from the web resource analyser when the response from the target computing device is received.

In an embodiment, the method further comprises maintaining a local cache of reputation request response data received from the web resource analyser engine and, in response to detecting a further connection request to the target computing device while respective reputation request response data of the same target computing device is already in the local cache of reputation request response data, approving or denying the further connection request between the client computing device and the target computing device without sending a further reputation request to the web resource analyser engine.

In an embodiment, the user-space utility program comprises a kernel-level iptables component used for configuring IP packet filter rules.

In an embodiment, the operating system kernel module comprises a netfilter queue used for managing network packets in iptables components.

In an embodiment, the method further comprises determining, based on the response from the web resource analyser engine, that the target computing device belongs to a third-party tracker and, based on determining that the target computing device belongs to the third-party tracker, blocking connections between the client computing device and the target computing device, wherein blocking the connection between the client computing device and the target computing device further comprises one of: sending an HTTP (Hypertext Transfer Protocol) or a TLS (Transport Layer Security) message indicating a message was received and no content is to be displayed, and terminating the connection.

In an embodiment, the timer is initiated for setting a predetermined time period to hold the response to the connection request from the target computing device.

Turning now to FIG. 3, which shows an example of a network apparatus such as a gateway.

A processor 304 is provided that is configured to detect connection requests relating to monitored network traffic passing through the network apparatus. Further, the processor 304 is configured to interrupt transmission of connection requests from a client computing device to a target computing device and to extract data identifying the target network computer based on the connection request. The processor is further configured to allow transmission of the connection request to continue to the target computing device and to transmit a reputation request comprising the extracted data identifying the target computing device to a web resource analyser engine. In some embodiments, the analysis can also be implemented in some other device internal to the apparatus 300. The processor further monitors receipt of responses to the connection request from the target computing device and to the reputation request from the web resource analyser engine. In response to detecting that the response to the connection request from the target computing device is received before the response to the reputation request, the processor is configured to hold the response to the connection request from the target computing device by performing a rewrite in a target section of a user-space utility program rule and by using an operating system kernel module in a user-space memory area of the network apparatus. In response to a receipt of the response from the web resource analysis engine, the processor is configured to release the response from hold.

In an embodiment, the processor 304 is further configured to store data such as data related to the connection requests, state information, reputation data and domain data to the database 306. The database 306 is shown in this example as being located at the apparatus 300, but it will be appreciated that the apparatus 300 may alternatively access a remote database. The database 306 may comprise data collected from user devices or reputation data previously collected from the web resource analyzer engine.

The apparatus 300 is provided with a receiver 301 that receives the connection requests and responses. A transmitter 302 is also provided for communication with the user device and/or the outside server.

In the above description, the apparatus 300 is described as having a separate transmitter and receiver. It will be appreciated that these may be disposed in any suitable manner, for example in a single transmitter and receiver, a transceiver and so on. Similarly, a single processor 304 is described but it will be appreciated that the function of the processor may be performed by a single physical processor or by more than one processor.

The apparatus 300 is also provided with a non-transitory computer readable medium in the form of a memory 305. The memory may be used to store a computer program 307 which, when executed by the processor 304, causes the processor 304 to perform the functions described above. The computer program 307 may be provided from an external source. In an embodiment, at least some or even all of the functions of the method can be implemented in any apparatus, for example the user device or a server.

FIG. 4 shows an example general flow diagram of a lookup according to an embodiment.

A network apparatus, such as a home network router (CPE) 400, has received a connection request (410) to a malicious site. At the network gateway 401, when an HTTP(S) request to the target malicious site 402 is made, a URL is extracted from the header or, in the case of HTTPS, an SNI is extracted from the TLS handshake. The request is allowed to continue (416) out to the target malicious site 402 and at the same time a request containing the URL/SNI (414) is sent to the URL analyser 404 for a URL check (415) and a timer is started.

If a response (420) from the target malicious site 402 is received after the response 417, 418, 419 from the URL analyser 404, then the response is immediately processed (422), that is, rewritten, dropped or allowed through depending on the URL analyser 404 result.

If the response (420) from the target malicious site 402 is received before the response from the URL analyser 404, the response is held (421) on the network gateway 401 until the response from the URL analyser is received. Then the response is processed, that is, rewritten, dropped or allowed through depending on the URL analyser 404 result.

In an embodiment, if the response from the target malicious site 402 is received and the result from the URL analyser 404 takes longer than a predefined time limit measured with the timer, then the response is held until the timer has expired, after which the response is allowed through.

Thus, the maximum waiting time a user experiences after sending the request is either the timeout of the timer or the response time of the target malicious site, whichever applies given how quickly the target malicious site responds.

In an embodiment, a local cache 403 can be used on the gateway that stores URL analyser responses. This enables addressing subsequent requests to the same target malicious site without any delay. Thus, before a request to the URL analyser 404 is sent, a cache lookup process can be made (411, 412, 413).

Holding the response from the target site while waiting for the URL analyser response also requires consideration. For example, holding the response in a match section of an iptables rule may lead to an unstable state if the local interface is taken down during the hold. Thus, in an embodiment, holding of the response is implemented by performing the rewrite in a target section of an iptables rule and using NFQUEUE in user-space to hold the data packet while the URL analyser response is awaited. An example flow that lets the Linux kernel know whether a packet is being held, and thus manage its memory correctly so that operation remains safe if the local interface is destroyed, is illustrated in FIG. 5.

In 500, target data (URL/SNI) is extracted. In 501, it is determined whether the target data is already in the cache. If yes, then in 505 the response from the target is awaited. If no, then at user-space level 550 NFQUEUE is used to hold the data packet (502) and in 503 the cloud lookup results for the reputation analysis are awaited. After the reputation analysis is received, the data packet is released (504). In 506, based on the received response from the reputation analysis, the connection between the computer device and the target is managed. For example, if the connection is to be blocked, then 508 is entered, where the response can be rewritten; if the connection is allowed, then 509 is entered to release the connection.

Iptables is a user-space utility program that allows configuring the IP packet filter rules of a firewall. The filters are organized in different tables containing chains of rules for how to treat network traffic packets. Different kernel modules and programs can be used for different protocols. NFQUEUE (Netfilter queue) is a kernel and user mode module for managing network packets in iptables. It enables writing netfilter target modules in user-space. NFQUEUE provides access to the packets matched by an iptables rule in Linux.
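The hold/release decision flow of FIG. 2B (steps 203 to 207) and FIG. 5 (steps 501 to 509), as an added example that is not code from the patent or any product. It models only the user-space side that an NFQUEUE callback would drive: the timer, the parked packet, the cache of verdicts, and the fail-open release when the timer expires first; the packet is plain bytes and the iptables rule named in the docstring is an assumption.

```python
"""Hold/release logic for a target response that arrives before the verdict.

Added example, not code from the patent. Forward the request, ask the analyser,
start a timer; if the target answers first, park the answer until the verdict or
the timer expiry, whichever comes first, and remember verdicts in a local cache.
In a deployment these calls would sit in an NFQUEUE callback behind a rule such
as `iptables -I FORWARD -p tcp --sport 80 -j NFQUEUE --queue-num 1` (assumed).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ALLOW, BLOCK = "allow", "block"                      # analyser verdicts / final actions
HOLD, LOOKUP, CACHED = "hold", "lookup", "cached"    # intermediate outcomes

# Constructed stand-in for the "received, nothing to display" reply of step 508
# (the text names an HTTP or TLS message; a 204 is assumed here for plain HTTP).
EMPTY_REPLY = b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n"


@dataclass
class Pending:
    deadline: float                # absolute time at which the timer (204) expires
    held: Optional[bytes] = None   # target response parked in user space (502)


@dataclass
class HoldReleaseGateway:
    timeout: float = 5.0
    cache: Dict[str, str] = field(default_factory=dict)        # target id -> verdict (403)
    pending: Dict[str, Pending] = field(default_factory=dict)  # lookups in flight

    def on_connection_request(self, target: str, now: float) -> Tuple[str, Optional[str]]:
        """Steps 501/503: serve from cache, else register a lookup and start the timer."""
        if target in self.cache:
            return CACHED, self.cache[target]
        self.pending[target] = Pending(deadline=now + self.timeout)
        return LOOKUP, None

    def on_target_response(self, target: str, packet: bytes, now: float) -> Tuple[str, Optional[bytes]]:
        """Steps 205/506: apply a verdict already known, otherwise park the packet."""
        verdict = self.cache.get(target)
        if verdict is not None:
            self.pending.pop(target, None)
            return self._apply(verdict, packet)
        p = self.pending.get(target)
        if p is None or now >= p.deadline:
            # No lookup in flight, or the timer already ran out: let it through (207).
            self.pending.pop(target, None)
            return ALLOW, packet
        p.held = packet
        return HOLD, None

    def on_analyser_response(self, target: str, verdict: str) -> Tuple[str, Optional[bytes]]:
        """Steps 206/504: cache the verdict and release a parked packet with it."""
        self.cache[target] = verdict
        p = self.pending.pop(target, None)
        if p is None or p.held is None:
            # Verdict arrived first: it is applied when the target answers (cache hit).
            return verdict, None
        return self._apply(verdict, p.held)

    def on_timer_tick(self, now: float) -> List[Tuple[str, str, Optional[bytes]]]:
        """Step 207: expired timers release their held packets without a verdict."""
        released = []
        for target in [t for t, p in self.pending.items() if now >= p.deadline]:
            p = self.pending.pop(target)
            if p.held is not None:
                released.append((target, ALLOW, p.held))
        return released

    @staticmethod
    def _apply(verdict: str, packet: bytes) -> Tuple[str, Optional[bytes]]:
        """Steps 508/509: rewrite the response (block) or pass it unchanged (allow)."""
        if verdict == BLOCK:
            return BLOCK, EMPTY_REPLY
        return ALLOW, packet
```

The timer path is deliberately fail-open, as the embodiment describes; a deployment that prefers fail-closed would return BLOCK from `on_timer_tick` instead.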

According to embodiments of the invention, the connection requests are managed in a way that the amount of time waiting for a response from the requested resources is minimized while at the same time the security of the requested resources can be determined by an external service.

It will be appreciated that various modifications may be made to the above described embodiments without departing from the scope of the present invention. For example, the database or web resource analysis engine may be in separate entities to the apparatus, in which case the apparatus will send queries remotely to the analysis engine.

The steps, signalling messages and related functions described above in relation to the figures are in no absolute chronological order, and some of the steps may be performed simultaneously or in a different order. Other functions may also be executed between the steps and other signalling may be sent between the illustrated ones. Some of the steps can also be left out or replaced by a corresponding step. The system functions illustrate a procedure that may be implemented in one or more physical or logical entities.

The techniques described herein can be implemented by various means. An apparatus or system that implements one or more of the described functions may comprise not only existing means but also means for implementing one or more functions of a corresponding apparatus that is described with an embodiment. An apparatus or a system may also comprise separate means for each separate function. For example, the embodiments may be implemented in one or more modules of hardware or combinations thereof. For software, implementation can be through modules, for example such procedures and functions that perform the functions described. The software code may be stored in any suitable data storage medium that is readable by processors, computers, memory units or articles of manufacture, and may be executed by one or more processors or computers. The data storage medium or memory unit or database may be implemented within the processor or computer apparatus, or as an external part of the processor or computer apparatus.

The programming, such as executable code or instructions, electronic data, databases or other digital information may be stored into memories and can include a processor-usable medium embodied in any computer program product which can contain, store, or maintain programming, data or digital information for use by or in connection with an instruction execution system, such as the processor.

An embodiment provides a non-transitory computer-readable medium comprising stored program code comprised of computer-executable instructions. The computer program code comprises one or more codes for performing the process steps according to the described example embodiments.

Although the invention has been described in terms of preferred embodiments as set forth above, it should be understood that these embodiments are illustrative only and that the claims are not limited to those embodiments. Those skilled in the art will be able to make modifications and alternatives in view of the disclosure which are contemplated as falling within the scope of the appended claims. Each feature disclosed or illustrated in the present specification may be incorporated in the invention, whether alone or in any appropriate combination with any other feature disclosed or illustrated herein.

Those skilled in the art will recognize improvements and modifications to the preferred embodiments of the disclosure. All such improvements and modifications are considered within the scope of the concepts disclosed herein and the claims that follow.

What is claimed is:
1. A method comprising: receiving, by a network apparatus comprising a processor device, a connection request sent from a client computing device toward a target computing device; extracting, from the connection request, a target identifier that identifies the target computing device; sending, by the network apparatus, the connection request to the target computing device; sending, by the network apparatus, a reputation request with the target identifier to a web resource analyser engine; in response to detecting that a response to the connection request from the target computing device is received before a response from the web resource analyser engine, holding the response to the connection request from the target computing device by performing a rewrite in a target section of a user-space utility program rule and by using an operating system kernel module in a user-space memory area of the network apparatus; and in response to an earliest occurrence of one of two events, releasing the response to the connection request, wherein the two events comprise an expiration of a timer and a receipt of the response from the web resource analyser engine.
2. The method according to claim 1, wherein the target identifier comprises a Uniform Resource Locator (URL) extracted from a header or a Server Name Indication (SNI) extracted from a Transport Layer Security (TLS) handshake.
3. The method according to claim 1, wherein the network apparatus is installed on a network gateway.
4. The method according to claim 1, the method further comprising, in response to detecting the expiration of the timer before the receipt of the response from the web resource analyser engine, approving the connection request.
5. The method according to claim 1, the method further comprising, in response to receipt of the response from the web resource analyser engine before expiration of the timer, approving the connection request or denying the connection request based on the response from the web resource analyser engine.
6. The method according to claim 1, the method further comprising, in response to detecting that the response from the web resource analyser engine is received before the response to the connection request from the target computing device, approving or denying the connection request based on the response from the web resource analyser engine when the response to the connection request from the target computing device is received.
7. The method according to claim 1, the method further comprising maintaining a local cache of reputation request response data received from the web resource analyser engine and, in response to detecting a further connection request to the target computing device, wherein respective reputation request response data of a same target computing device being already in the local cache of reputation request response data, approving or denying the further connection request without sending a further reputation request to the web resource analyser engine.
8. The method according to claim 1, wherein the user-space utility program comprises a kernel-level iptables component used for configuring IP packet filter rules.
9. The method according to claim 1, wherein the operating system kernel module comprises a netfilter queue used for managing network packets in iptables components.
10. The method according to claim 1, the method further comprising determining, based on the response from the web resource analyser engine, that the target computing device belongs to a third-party tracker and, based on determining that the target computing device belongs to the third-party tracker, blocking connections between the client computing device and the target computing device, wherein blocking the connection between the client computing device and the target computing device further comprises one of: sending a Hypertext Transfer Protocol (HTTP) or a Transport Layer Security (TLS) message indicating a message was received and no content is to be displayed, and terminating the connection.
11. An apparatus in a computer network system comprising: one or more processor devices; and a non-transitory computer-readable medium comprising stored program code, the program code comprised of computer-executable instructions that, when executed by the one or more processor devices, cause the one or more processor devices to: receive a connection request sent from a client computing device toward a target computing device; extract, from the connection request, a target identifier that identifies the target computing device; send the connection request to the target computing device; send a reputation request with the target identifier to a web resource analyser engine; in response to detecting that a response to the connection request from the target computing device is received before a response from the web resource analyser engine, hold the response to the connection request from the target computing device by performing a rewrite in a target section of a user-space utility program rule and by using an operating system kernel module in a user-space memory area of the network apparatus; and in response to an earliest occurrence of one of two events, releasing the response to the connection request, wherein the two events comprise an expiration of a timer and a receipt of the response from the web resource analyser engine.
12. The apparatus according to claim 11, wherein the target identifier comprises a Uniform Resource Locator (URL) extracted from a header or Server Name Indication (SNI) extracted from a Transport Layer Security (TLS) handshake.
13. The apparatus according to claim 11, the one or more processor devices being further configured to approve the connection request or deny the connection request based on the response from the web resource analyser engine or approve the connection request based on the expiration of the timer.
14. The apparatus according to claim 11, the one or more processor devices being further configured to maintain a local cache of reputation request response data received from the web resource analyser engine and, in response to detecting a further connection request to the target computing device, wherein respective reputation request response data of a same target computing device being already in the local cache of reputation request response data, approve or deny the further connection request without sending a further reputation request to the web resource analyser engine.
15. The apparatus according to claim 11, wherein the user-space utility program comprises a kernel-level iptables component used for configuring IP packet filter rules.
16. The apparatus according to claim 11, wherein the operating system kernel module comprises a netfilter queue used for managing network packets in iptables components.
17. The apparatus according to claim 11, the one or more processor devices being further configured to determine, based on the response from the web resource analyser engine, that the target computing device belongs to a third-party tracker, and based on determining that the target computing device belongs to the third-party tracker, block connections between the client computing device and the target computing device, wherein blocking the connection between the client computing device and the target computing device further comprises one of: sending a Hypertext Transfer Protocol (HTTP) or a Transport Layer Security (TLS) message indicating a message was received and no content is to be displayed, and terminating the connection.
18. A non-transitory computer-readable medium comprising stored program code, the program code comprised of computer-executable instructions that, when executed by a processor device, causes the processor device to: receive a connection request sent from a client computing device toward a target computing device; extract, from the connection request, a target identifier that identifies the target computing device; send the connection request to the target computing device; send a reputation request with the target identifier to a web resource analyser engine; in response to detecting that a response to the connection request from the target computing device is received before a response from the web resource analyser engine, hold the response to the connection request from the target computing device by performing a rewrite in a target section of a user-space utility program rule and by using an operating system kernel module in a user-space memory area of the network apparatus; and in response to an earliest occurrence of one of two events, releasing the response to the connection request, wherein the two events comprise an expiration of a timer and a receipt of the response from the web resource analyser engine.
19. The non-transitory computer-readable medium according to claim 18, wherein the computer-executable instructions, when executed by the processor device, further cause the processor device to, in response to detecting the expiration of the timer before the receipt of the response from the web resource analyser engine, approve the connection request.
20. The non-transitory computer-readable medium according to claim 18, wherein the computer-executable instructions, when executed by the processor device, further cause the processor device to, in response to receipt of the response from the web resource analyser engine before expiration of the timer, approve the connection request or deny the connection request based on the response from the web resource analyser engine.
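Claims 2 and 12 identify the target either by a URL taken from a header or by the SNI taken from the TLS handshake. The block below is an added example, not code from the patent or its applicant, showing how a gateway pulls that identifier out of the first client bytes: a parser for the server_name extension of a TLS ClientHello (record and extension layout as in the TLS and RFC 6066 formats) and a parser for the HTTP/1.x Host header. `build_client_hello` is a constructed sample input so the block runs offline; the hostnames are constructed, and the function names are this example's own.

```python
from typing import Optional

SNI_EXT_TYPE = 0x0000     # TLS extension number for server_name (RFC 6066)
HOST_NAME_TYPE = 0x00     # name_type for host_name inside the server_name extension


def extract_sni(data: bytes) -> Optional[str]:
    """Return the host_name from a TLS ClientHello record, or None.

    None means: not a handshake record, not a ClientHello, no server_name
    extension, or truncated bytes. A gate treats None as "identifier not
    available yet", never as "safe".
    """
    try:
        if len(data) < 5 or data[0] != 0x16:            # 0x16 = handshake record type
            return None
        rec_len = int.from_bytes(data[3:5], "big")
        rec = data[5:5 + rec_len]
        if len(rec) < rec_len or rec[0] != 0x01:        # 0x01 = ClientHello
            return None
        hs_len = int.from_bytes(rec[1:4], "big")
        body = rec[4:4 + hs_len]
        if len(body) < hs_len:
            return None
        pos = 2 + 32                                    # client_version + random
        pos += 1 + body[pos]                            # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + body[pos]                            # compression_methods
        if pos + 2 > len(body):                         # no extensions block at all
            return None
        ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        if ext_end > len(body):
            return None
        while pos + 4 <= ext_end:                       # walk extension list
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            edata = body[pos + 4:pos + 4 + elen]
            if len(edata) < elen:
                return None
            pos += 4 + elen
            if etype == SNI_EXT_TYPE:
                return _parse_server_name(edata)
        return None
    except IndexError:                                  # short read while walking fixed fields
        return None


def _parse_server_name(ext: bytes) -> Optional[str]:
    """Walk the ServerNameList and return the first host_name entry, lower-cased."""
    list_end = 2 + int.from_bytes(ext[0:2], "big")
    pos = 2
    while pos + 3 <= min(list_end, len(ext)):
        name_type = ext[pos]
        name_len = int.from_bytes(ext[pos + 1:pos + 3], "big")
        name = ext[pos + 3:pos + 3 + name_len]
        if len(name) < name_len:
            return None
        pos += 3 + name_len
        if name_type == HOST_NAME_TYPE:
            try:
                host = name.decode("ascii")
            except UnicodeDecodeError:
                return None
            # reject empty names and control/space bytes that would corrupt a lookup key
            if not host or any(ord(c) <= 0x20 for c in host):
                return None
            return host.lower()
    return None


def extract_http_host(data: bytes) -> Optional[str]:
    """Host header (port stripped, lower-cased) from a complete HTTP/1.x request
    head, or None when the head is incomplete or carries no Host header."""
    head, sep, _ = data.partition(b"\r\n\r\n")
    if not sep:
        return None
    for line in head.split(b"\r\n")[1:]:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            if host.startswith("["):                    # bracketed IPv6 literal keeps its brackets
                host = host[:host.find("]") + 1] if "]" in host else host
            else:
                host = host.split(":", 1)[0]
            return host or None
    return None


def build_client_hello(server_name: bytes, include_sni: bool = True) -> bytes:
    """Constructed minimal ClientHello used as sample input (not a captured packet)."""
    exts = b"\x00\x2b\x00\x03\x02\x03\x04"              # supported_versions ext, skipped by parser
    if include_sni:
        entry = bytes([HOST_NAME_TYPE]) + len(server_name).to_bytes(2, "big") + server_name
        lst = len(entry).to_bytes(2, "big") + entry
        exts += b"\x00\x00" + len(lst).to_bytes(2, "big") + lst
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"         # version, zero random, empty session id
            + b"\x00\x02\x13\x01"                        # one cipher suite
            + b"\x01\x00"                                # null compression
            + len(exts).to_bytes(2, "big") + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs
```

Both extractors return None rather than a partial name on truncated input, because the gateway sees the ClientHello in segments: the reputation request has to wait for the complete record rather than be sent for a half-read name.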
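Claims 1, 4 to 7, 13, 19 and 20 describe one procedure: the target's response is held in user space until either the analyser's verdict arrives or a timer expires, whichever comes first, and analyser verdicts are cached so repeat connections to the same target need no further reputation request. The block below is an added example, not the patent's implementation, modelling the user-space decision side of that procedure with an injectable clock so the timer race can be exercised deterministically. Assumptions not stated in the claims: the rule rewrite is taken to be changing the rule's target from ACCEPT to `NFQUEUE --queue-num 0`, the kernel-side queue hands each held packet to user space with a packet id, and the target names are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ACCEPT, DROP, HELD = "ACCEPT", "DROP", "HELD"


class ManualClock:
    """Deterministic clock so the hold timer can be driven without sleeping."""

    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class HeldPacket:
    packet_id: int      # queue packet id (assumed: the kernel-side queue hands one to user space)
    target: str         # target identifier (SNI / host) the held response belongs to
    deadline: float     # clock value at which the hold timer expires


class ReputationGate:
    """User-space verdict logic for queued target responses.

    Assumed wiring (not given in the claims): the gateway rule's target was rewritten
    from ACCEPT to "NFQUEUE --queue-num 0", so matching response packets reach this
    process, which must issue ACCEPT or DROP per packet id. Everything is in memory;
    no real queue is opened.
    """

    def __init__(self, hold_timeout: float, clock: Callable[[], float],
                 cache_ttl: float = 300.0) -> None:
        self.hold_timeout = hold_timeout
        self.clock = clock
        self.cache_ttl = cache_ttl
        self.cache: Dict[str, Tuple[bool, float]] = {}   # target -> (is_safe, expires_at)
        self.held: Dict[int, HeldPacket] = {}            # packet_id -> held response
        self.verdicts: Dict[int, str] = {}               # packet_id -> ACCEPT/DROP issued
        self.reputation_requests: List[str] = []         # targets sent to the analyser

    def _cache_lookup(self, target: str) -> Optional[bool]:
        entry = self.cache.get(target)
        if entry is None:
            return None
        is_safe, expires_at = entry
        if self.clock() >= expires_at:      # stale entry: re-query rather than trust it
            del self.cache[target]
            return None
        return is_safe

    def on_connection_request(self, target: str) -> bool:
        """Client request seen. True when the cache already decides the target (claim 7:
        no further reputation request); otherwise a reputation request is recorded."""
        if self._cache_lookup(target) is not None:
            return True
        self.reputation_requests.append(target)
        return False

    def on_target_response(self, packet_id: int, target: str) -> str:
        """Target's response packet arrived in the queue before or after the verdict."""
        cached = self._cache_lookup(target)
        if cached is not None:              # verdict already known (claim 6): decide now
            self.verdicts[packet_id] = ACCEPT if cached else DROP
            return self.verdicts[packet_id]
        self.held[packet_id] = HeldPacket(packet_id, target, self.clock() + self.hold_timeout)
        return HELD

    def on_analyser_response(self, target: str, is_safe: bool) -> str:
        """Analyser verdict arrived before the timer: release held packets per verdict (claim 5)."""
        self.cache[target] = (is_safe, self.clock() + self.cache_ttl)
        verdict = ACCEPT if is_safe else DROP
        for pid, hp in list(self.held.items()):
            if hp.target == target:
                self.verdicts[pid] = verdict
                del self.held[pid]
        return verdict

    def tick(self) -> List[int]:
        """Timer check: packets whose hold expired are released as ACCEPT (claim 4)."""
        now = self.clock()
        released: List[int] = []
        for pid, hp in list(self.held.items()):
            if now >= hp.deadline:
                self.verdicts[pid] = ACCEPT
                del self.held[pid]
                released.append(pid)
        return released


if __name__ == "__main__":
    clock = ManualClock()
    gate = ReputationGate(hold_timeout=2.0, clock=clock.now)
    gate.on_connection_request("tracker.example")                 # constructed target names
    print(gate.on_target_response(1, "tracker.example"))           # HELD
    print(gate.on_analyser_response("tracker.example", False))     # DROP
    gate.on_connection_request("slow.example")
    gate.on_target_response(2, "slow.example")
    clock.advance(2.5)
    print(gate.tick(), gate.verdicts[2])                           # [2] ACCEPT
```

The timer path releases with ACCEPT because that is what claims 4, 13 and 19 specify; it is a fail-open choice, so the hold timeout bounds both the latency a user sees and the window in which an unrated target is reached before its verdict. The cache TTL matters for the same reason: a verdict that arrives after the timer has already released a packet still lands in the cache, so the next connection to that target is decided immediately.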